Re: Creating a note track for Strict CSP

Hey Jun!

I agree that this would be valuable, but I'm not sure that a separate
Note-track document is the right path: I think it's pretty reasonable to
add recommendations like this directly to CSP's "Authoring Considerations"
section instead, as a more direct indication of the ways in which CSP can
be securely deployed. Perhaps you could work with Lukas Weichselbaum to
condense https://web.dev/strict-csp/ into a few paragraphs? I'd happily
review such a PR.

Tangentially, I'd also like
https://github.com/mikewest/securer-contexts#what-defenses-would-securecontextinjection-require
to eventually become a thing (though not with the spelling proposed there),
which would require/create a normative definition of a subset of CSP that
could impact the availability of certain APIs, just as [CrossOriginIsolated
<https://webidl.spec.whatwg.org/#CrossOriginIsolated>] does today. I wonder
if others would be interested in that as well?

-mike

On Fri, Oct 22, 2021 at 9:55 PM Jun Kokatsu <Jun.Kokatsu@microsoft.com>
wrote:

> Hi All,
>
> While advocating internally within Microsoft about Strict CSP
> <https://web.dev/strict-csp/>, I've got the following words 🙂
>
> We talked to a security person within our org to try to better understand
> what the implications of adding “Strict CSP” to XYZ are. However, quoting
> our sec expert, it seems like “"Strict CSP" is an informal term used by
> people from industry, I don't recall seeing it in the standard”.
>
>
> While I was a little frustrated, I do think this person also has a point
> that Strict CSP has mostly been talked about by Google (though probably it's
> deployed to some other sites <https://mitigation.supply/> too).
>
> I wonder if we can create a note track about Strict CSP (just like Post-Spectre
> Web Development <https://www.w3.org/TR/post-spectre-webdev/>), assuming
> people agree that Strict CSP is something that can be recommended by
> WebAppSec WG.
>
> Please let me know what you all think 🙂
>
> Thanks,
>
> Jun
>

Received on Saturday, 23 October 2021 09:43:43 UTC